Gitlab reports unauthorized pipeline execution flaw, urges patching of CE and EE versions
Take action: If you run self-hosted GitLab CE/EE, update now. The flaw is severe, and unless your GitLab server is fully isolated from the internet you need to apply the patch as soon as possible. Be prepared for the breaking changes in the patched releases: you will need to adjust to them, since the alternative is being compromised.
Learn More
GitLab is reporting a critical security vulnerability affecting its Community Edition (CE) and Enterprise Edition (EE) products. The flaw, tracked as CVE-2024-5655 (CVSS score 9.6), allows attackers to run pipelines as any user under certain unspecified circumstances. GitLab pipelines, part of the CI/CD system, automate tasks such as building, testing, and deploying code.
Affected Versions:
- GitLab CE/EE versions from 15.8 to 16.11.4
- GitLab CE/EE versions 17.0.0 to 17.0.2
- GitLab CE/EE version 17.1.0
The flaw has been patched in versions:
- GitLab CE/EE version 17.1.1
- GitLab CE/EE version 17.0.3
- GitLab CE/EE version 16.11.5
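A quick way to triage a fleet of self-hosted instances is to compare each reported version string against the affected ranges listed above. The script below is an added example (not GitLab's code) that encodes exactly those ranges and patched releases; the version strings in the demo are constructed. The version of a live instance can be read from its `/api/v4/version` REST endpoint by an authenticated user, but fetching it is left out so the check runs offline.

```python
"""Triage helper for CVE-2024-5655: is this GitLab version in an affected range?

Added example, not GitLab's own code. Ranges and patched releases are taken
from the advisory text; sample version strings below are constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 4)),   # 15.8 up to and including 16.11.4
    ((17, 0, 0), (17, 0, 2)),    # 17.0.0 up to and including 17.0.2
    ((17, 1, 0), (17, 1, 0)),    # 17.1.0 only
]

# Patched releases named in the advisory.
PATCHED_RELEASES = [(16, 11, 5), (17, 0, 3), (17, 1, 1)]

# Accepts forms such as '16.11.4', 'v17.0.2-ee', '16.11.5+abcdef', '15.8'.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+][\w.]+)?\s*$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into (major, minor, patch).

    A missing patch component is treated as 0, so '15.8' -> (15, 8, 0).
    Edition suffixes such as '-ee' and build metadata are ignored.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version: Version) -> bool:
    """True if the version falls inside any affected range (tuple comparison)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: Version) -> Optional[Version]:
    """Smallest patched release not older than the running version.

    Returns None when the version is not affected. For an old 15.x or 16.x
    instance this is 16.11.5, the earliest patched line in the advisory.
    """
    if not is_affected(version):
        return None
    return min(v for v in PATCHED_RELEASES if v >= version)


def triage(text: str) -> str:
    """One-line verdict for a reported version string."""
    v = parse_version(text)
    target = recommended_upgrade(v)
    if target is None:
        return f"{text}: not in the affected ranges for CVE-2024-5655"
    return (f"{text}: AFFECTED by CVE-2024-5655; "
            f"upgrade to {'.'.join(map(str, target))} or later")


if __name__ == "__main__":
    # Constructed sample inventory, e.g. as gathered from /api/v4/version.
    for reported in ["15.7.9", "15.8", "16.5.2-ee", "16.11.4", "16.11.5",
                     "v17.0.2-ee", "17.0.3", "17.1.0", "17.1.1", "17.2.0"]:
        print(triage(reported))
```

Versions are compared as integer tuples rather than strings, so 16.11.4 correctly sorts above 16.9.0; a string comparison would get that wrong and is a common source of false negatives in ad hoc version checks.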
GitLab also fixed 13 additional vulnerabilities, including three high-severity issues.
The patched releases involve breaking changes:
- Pipeline Execution: Pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged. Users must manually start the pipeline to execute CI for their changes.
- GraphQL Authentication: CI_JOB_TOKEN is now disabled by default for GraphQL authentication starting from version 17.0.0, with this change backported to versions 17.0.3 and 16.11.5. Users need to configure one of the supported token types for GraphQL API access.